Wednesday, 30 April 2014

Today’s judgment of the Court of Justice of the European
Union (CJEU) in Pfleger confirmed an
important issue as regards the scope of the EU Charter of Fundamental Rights –
but also raised some implicit questions about its added value in such cases.

The case concerned Austrian restrictions on gambling machines.
In fact, the CJEU has decided very many cases relating to national restrictions
on gambling, an issue which is not regulated by detailed EU legislation but
which is nonetheless in principle subject to EU internal market law. Here, the
parties challenging the enforcement of the Austrian law raised questions
concerning the compliance of that law with the EU Charter, in particular as
regards Articles 15 to 17 of the Charter (concerning freedom to conduct an
occupation, to run abusiness and the
right to property) and Article 50 (the prohibition on double jeopardy).

Does the Charter
apply?

Article 51 of the Charter limits the scope of its
application to EU bodies, and to the Member States ‘only’ when they are ‘implementing’
EU law. At first sight, this rule narrows the established scope of the previous
CJEU case law on the scope of human rights protection, which (going back to the
1991 judgment of ERT) had always held
that any national derogations from EU free movement rights had to comply with
human rights obligations as general principles of EU law. On a strict
interpretation, such national derogations could not easily be seen as measures ‘implementing’
EU law, and many academics therefore wondered whether the Charter was narrower
in scope than the general principles.

However, last year’s judgment in Fransson confirmed that the scope of the Charter was exactly the same
as the scope of the general principles. Logically, it followed that national
derogations from free movement rules are within the scope of the Charter, but
the Pfleger case was the first
opportunity that the Court has had to confirm this.

Comparing internal
market rules and the Charter

Despite the importance of this case from a human rights
perspective, the main issue in the Pfleger
judgment is the compliance of the national rules with EU internal market law.
The CJEU, no doubt exhausted with the amount of litigation on this issue,
simply reiterates its prior case law, and asks the national court to apply it
to the facts. Also, the CJEU does state that if the national restrictions on
gambling do not have any real link to combating crime or social problems, but
are simply a means of increasing tax revenue, then this cannot be justified – but
it relies on the national court’s findings in this regard.

What does the Charter add to this? On the facts of this
case, not very much. According to the CJEU, if the national law restricted internal
market freedoms, then it also restricted the economic rights in Articles 15-17
of the Charter. Equally, if it could not be justified under the internal market
rules, then it could not be justified as a limitation on Charter rights
pursuant to Article 52 of the Charter either.

It should be noted that the Court did not rule that an analysis of the internal market rules in the
Treaty would always lead to the same
result as the Charter analysis. The ruling expressly concerned ‘circumstances
such as those at issue in the main proceedings’. So it is possible to imagine,
for instance, that as regards a different aspect of the free movement of
services more directly connected to human rights than gambling – broadcasting,
for instance – a national restriction might be proportionate from the point of
view of the internal market but a questionable restriction of freedom of
expression. At the very least, a separate application of the internal market
and human rights rules would surely be called for where (for instance) the
content of communications is being restricted.

The Court did not touch on the separate question of whether
the enforcement (as distinct from the
substance) of the national rules needed
to be judged from a human rights perspective, noting only that if the national
rules breached the Treaty rules on internal market freedoms, they could not be
enforced anyway. The Advocate-General’s opinion, in contrast, assumed that if
the national rules were substantively in compliance with internal market law
and the Charter, the details of their enforcement could still be tested for
compliance with the Charter.

Implications of the
judgment

While this judgment only concerned national derogations from
internal market Treaty freedoms, there is no reason to think that its impact is
limited to such cases. There is a lot of EU legislation on different issues
which allows Member States to derogate in various ways from its rules, and
there is no reason to think that the internal market Treaty provisions are in
some way special as regards the scope of application of the Charter.

In particular, as discussed already on this blog, the
national derogations from the e-privacy Directive, as regards data retention
and other forms of interception of telecommunications, are subject to the
Charter, even following the annulment of the data retention Directive. The
Court has already examined such national derogations in the context of civil
proceedings, and logically should do so as regards criminal proceedings too.

‘In capitalist countries, the bank robs YOU’. Rightly or
wrongly, this phrase sums up the reaction of many EU citizens (as well as many
of those outside the EU) to the bank bailouts and austerity of the last few
years. The reaction to these concerns has been a series of populist measures by
the EU – a restriction on short-selling (upheld by the CJEU), criminal penalties for market abuse, and a possible financial transactions tax (FTT).

As widely expected, the CJEU today ruled against the UK’s
legal challenge to the plans of a group of EU Member States to impose an FTT.
In the form proposed by the European Commission, the FTT could possibly do
significant damage to the UK’s financial industry, based in the City of London.
So at first sight, the failure of the UK’s legal challenge today looks like a
significant setback to the City. However, in reality it is no such thing, since
the UK will still be able to bring a separate legal challenge to the FTT, if
and when it is finally adopted – and such a challenge would have a much better
chance of being successful.

Background

Far from being a ‘one size fits all’ template, for many
years EU law has provided for a number of different possibilities for some
Member States to go ahead and adopt EU measures without all Member States
participating. This is known in EU jargon as ‘differentiated integration’.

The best known of these possibilities are the rules on the
EU’s single currency (along with some related rules on bailouts and economic
governance) and on EU Justice and Home Affairs Law. But also there is a lesser
known possibility for some Member States to go ahead without the others in any
area of EU law, known as ‘enhanced cooperation’.

This possibility was first introduced by the Treaty of
Amsterdam (in force 1999), but it was subject to strict rules, such as a de
facto veto for each Member State. To make it easier for these rules to be used,
particularly in light of the planned large enlargement of the EU, they were
amended by the Treaty of Nice (in force 2003). They were amended again by the
Treaty of Lisbon (in force 2009), and they have been used in practice three
times since that point.

The first use of the enhanced cooperation rules was to adopt
a Regulation on the choice of law in divorce in 2010. This proved
uncontroversial. Secondly, the EU agreed in 2011 to create a unitary patent for
a large number of Member States. Spain and Italy could not agree to the details
of this proposal, since they wanted equal status for their languages. They
brought a legal challenge to the Council’s decision to authorise enhanced
cooperation in this case, but the Court of Justice of the European Union (CJEU)
dismissed this challenge in 2013.

The third use of the enhanced cooperation procedure was to
authorise a group of Member States to adopt an FTT. As noted already, the UK’s
challenge to the decision authorising the FTT was dismissed today.

So why is the UK’s failure today not really a significant
setback? The reason is that enhanced cooperation is a two-step procedure. First
of all, the EU Council authorises a group of Member States to go ahead in a
particular area. These authorisation decisions do not go into any detail about
the law concerned. Secondly, the EU institutions then negotiate the details of
the legislation which will apply to the participating Member States. This is
known as the measure ‘implementing’ enhanced cooperation.

When the enhanced cooperation procedure was used for the
first time (as regards choice of law in divorce), the Council very quickly
agreed on the measure implementing enhanced cooperation. However, on the second
occasion when this procedure was used (the unitary patent), it took nearly two
years for the EU to adopt the legislation implementing enhanced cooperation.
This was due to a need to agree these implementing rules with the European
Parliament, as well as very difficult talks between Member States on a separate
treaty creating a Unified Patent Court, particularly because it was hard to
agree (among other things) where that Court would be located.

Similarly, although the Commission proposed legislation to
set up an FTT back in 2011, and tabled a revised version of this proposal in
2013, once the EU authorised enhanced cooperation as regards the FTT, the
participating Member States clearly appear to have difficulties reaching
agreement on this proposal (each of the participating Member States has a
veto).

Certainly, the Commission proposal is objectionable from the
UK’s point of view. It provides not only for taxing transactions which take
place in the financial markets of the participating Member States (reasonably
enough), but also for taxing transactions which take place in the financial
markets of non-participating Member
States – as long as one of the parties to the transaction is located in a
participating Member State. To this end, the proposal would deem a British bank
to be a French bank (for instance) in certain circumstances.

There is a very good argument that this proposal violates
the EU’s rules on free trade in the internal market, and interferes with the
taxation powers which would normally belong to the UK and other participating
Member States. The EU Treaties require any enhanced cooperation to be
consistent with those rules. Indeed, it is widely known that the EU Council
legal service believes that, for these reasons, the Commission’s proposal would
be illegal – if it were in fact adopted.

While the CJEU today rejected those arguments at this stage
of the process, this was simply because the final shape of the FTT has not yet
been decided. It is entirely possible that the participating Member States
might not agree on an FTT at all, or that they might agree on an FTT which does
not contain such elements.

Even if they do agree to adopt the Commission’s proposal,
the UK will be able to challenge that Directive when the time comes. Similarly,
some of Spain’s detailed arguments against the legality of the unitary patent
have been raised in a second legal challenge (still pending) which that country
has brought against the legality of the EU measures implementing enhanced
cooperation in this field.

Conclusion

If the UK had been successful today, it would have ended any
prospect of an FTT for the time being. Its failure keeps the prospect of an FTT
alive. But because the Court of Justice rightly did not rule on the merits of
the UK’s case against the Commission proposal – simply because that proposal
has not yet been adopted – the UK has only lost a minor skirmish, not the war.

The mere fact of bringing this legal challenge has made it
clear to the participating Member States that the UK will vigorously defend its
legal position, and may therefore have contributed to their difficulties in
agreeing to the Commission proposal. And the government’s legal action,
although unsuccessful, may yet play some role in ensuring that an FTT, if one
is finally agreed, does not have an extraterritorial scope.

Without extraterritorial features, an FTT would of course
not raise as much money. Then again, the UK could also reduce its budget
deficit if it could (for instance) collect a toll from drivers on German
motorways, or tax all the cheese bought in France. The absurdity of these
scenarios shows why a future British legal challenge to the final FTT, if such
a challenge is necessary, would have a much greater chance of success.

Thursday, 24 April 2014

Last autumn's huge loss of lives near Lampedusa, when hundreds of migrants drowned in the Mediterranean, was one of the latest and most dramatic death tolls in the recent history of irregular crossing of that sea. It ought to have led to a complete rethink of EU policy toward border controls and visas, but did not - doubtless because of the belief that far-right parties would capitalise on the increased public concern about migration that would result.

Of course, irregular migration flows are 'mixed': they consist of some people with a legitimate need for international protection, as well as some people who don't have such a need. The former group has a right to enter and stay on Member States' territory, while the latter group in principle does not - although this obviously doesn't mean that such migrants should be left to drown.

While no potential solution to this dilemma is simple, or would solve all the related problems, a move towards greater external processing of asylum seekers would clearly be a step in the right direction. It would mean that at least some of those migrants with a legitimate need for international protection would be able to obtain safe passage to EU Member States' territory without having to risk crossing the Mediterranean in unsafe vessels, having had to pay unscrupulous smugglers a fortune to arrange their journey.

For the last decade, the idea of external processing of asylum applications was tarnished by its association with suggestions made by Tony Blair for a new approach to asylum seekers coming to Europe. His ideas, which seemed to have been worked out on the back of an envelope, and were clearly inspired by Australia's 'Pacific solution' to refugees, envisaged external processing as the exclusive route for asylum seekers to obtain refuge in the EU.

They were incompatible with human rights obligations, and entailed a degree of cooperation from third countries which either would not have been offered, or should not have been accepted if it was. This approach might have entailed agreements with Khadafy's Libya, or Putin's Russia, to host refugees and asylum seekers. If Putin were currently in a position to release many thousands of refugees who wished to make their way to the EU, the Union's reaction to his annexation of Crimea and sabre - rattling in eastern Ukraine would be even milder than it is already - if that's possible.

A new approach

Blair's ideas have been kicked into the long grass several times by the EU. But certainly the idea of joint external processing in principle has merit, if it has completely different premises from his suggestions. In particular, such processing should in no way prejudice applications made at the border or on the territory of Member States, and must entail the entry and stay of persons with international protection needs either on the territory of Member States, or on the territory of third countries which offer an equivalent level of protection. Nor should joint processing prejudice the resettlement of those groups of persons (such as Syrian refugees) whose need for international protection is obvious.

However, the EU will need time to work out the details of joint processing, for instance how to allocate the beneficiaries of international protection between Member States. In the meantime, there is now a perfect opportunity to adopt rules on purely national external processing of asylum applications, in the form of the proposed amendments to the Schengen visa code.

This is the second of four posts on this blog dealing with these proposed amendments. The first post dealt with the impact of the proposals on EU citizens’ third-country national family members, and the remaining posts will deal with the substance of the proposals as regards short-term Schengen visas and the newly proposed ‘touring visa’.

The proposed amendments to the visa code retain the existing possibility for Member States to issue a short-term visa with ‘limited territorial validity’ (LTV), ie the visa is not valid in all Schengen states, but rather valid usually in only the single Schengen State which issues it. But admission to only one Member State is clearly better than facing a risk of harm outside the EU. Once the visa expires, the person concerned can be given a longer-term residence document; in fact, the EU’s qualification Directive requires that a recognised refugee or beneficiary of subsidiary protection must receive a residence permit, and the EU Directive on asylum procedures specifies that in principle asylum-seekers cannot be removed from a Member State’s territory before a decision is made on their application.

The new proposal would make no substantive changes to the current rules in the visa code on LTV visas (see Article 22 of the proposal, as compared to Article 25 of the current code). However, it would be open to the European Parliament and the Council to insist that changes ought to be made.

According to the current visa code, and the proposed amendments, an LTV visa ‘shall be issued…when the Member State concerned considers it necessary on humanitarian grounds, for reasons of national interest or because of international obligations’. The important point is that an LTV visa can be issued where the usual conditions for issuing a visa are not met, for instance where there is insufficient evidence of an intention to return to the country of origin. Obviously, where a person has a genuine protection need, a reluctance to return to her country of origin is perfectly understandable; indeed, it is built into the very definition of refugee or subsidiary protection status (ie a well-founded fear of suffering persecution or serious harm in that country).

It should be noted that the CJEU has recently ruled in the Koushkaki judgment that in principle an ordinary Schengen visa must be issued when the applicant satisfies the criteria to obtain one, subject to a wide degree of discretion for Member States’ authorities to assess whether those criteria are satisfied. Does the same rule apply to LTV visas? At first sight, it does, due to the word ‘shall’, although that is qualified by the words ‘considers it necessary’.

Arguably, at least in cases involving a potential international protection need, the EU Charter of Fundamental Rights requires that where a person applies for a visa from a (Schengen) Member State, the existence of such a need must be considered if it is alleged, and an LTV visa must be issued if such a protection need exists. The Member State’s Charter obligations would also be satisfied if it issues an LTV visa to the person concerned when the application for international protection is made, and considers the merits of the application while that person is on its territory.
It can hardly be denied that EU law (and therefore the Charter) applies whenever a third-country national applies for a visa from a Schengen Member State.

The substantive law applicable to the consideration of the application would be the EU’s Qualification Directive, since that Directive does not limit its geographical application. However, the EU’s legislation on asylum procedures and reception conditions only applies to applications made at the border or on the territory of Member States. But since the EU Charter applies to applications for visas made on the territories of third States, it must follow that some basic standards compliant with the Charter would apply to the procedures and reception conditions would still be applicable. There would be no need to decide which Member State is responsible for considering the application, since the EU’s Dublin rules are subject to the same geographic limitations.

If this interpretation is correct, the current and proposed visa codes already include implicit rules covering those applying for international protection. However, it would be preferable to include express rules to this effect. There would be no need for elaborate provisions on this issue, since the details of such purely national forms of external processing of asylum applications do not need to be harmonised in great detail. It would be sufficient to provide that an LTV visa ‘shall be issued…when it is necessary in order to ensure the international protection of the person concerned in accordance with Directive 2011/95 [the Qualification Directive], or when the Member State concerned considers it necessary…’.

This would be a modest but important step towards reducing the appalling death toll of those migrants who cross the Mediterranean in search of a new life in the European Union.

Wednesday, 23 April 2014

For many years, discussion as regards the EU and human rights has focussed on the growing role of the EU Charter of Fundamental Rights and the EU’s planned accession to the European Convention on Human Rights. This is understandable, given the importance of these developments. However, the EU’s relationship with other international human rights instruments is also worthy of further examination.

The EU is not able to sign up to older UN human rights treaties – such as the two Covenants and the Conventions relating to sex discrimination, race discrimination and migrant workers – because ratification of these instruments is only open to States. Similarly, only States can ratify ILO Conventions, although the EU sometimes coordinates its Member States’ position as regards ILO measures (see the discussion of the proposal to coordinate positions regarding new ILO forced labour measures).

However, more recent international human rights treaties do provide for possible accession by the EU, and indeed the Union has signed up to the UN Convention on the Rights of Disabled Persons (see the recent Z judgment of the CJEU).
With the imminent entry into force of the Council of Europe’s Istanbul Convention on violence against women (which will come into force on 1 August 2014, after the deposit of the tenth ratification on April 22nd), the question now arises whether the EU should sign up to another human rights treaty. This post sets out the reasons why the EU should ratify the Convention at the earliest opportunity.

EU competence to ratify the Istanbul Convention

The EU is certainty competent to ratify the Istanbul Convention, if it wishes to do so. First of all, the Convention expressly provides (in Article 75(1)) for ratification by the EU, without setting any special condition in this respect.

Secondly, as a matter of internal EU law, the EU can sign up to any treaties which are (inter alia) ‘likely to affect common rules or alter their scope’ (Article 216 TFEU). Although EU law has not regulated the key substantive criminal law issues dealt with in the Istanbul Convention, the Convention does not limit itself to establishing rules concerning criminal liability, but also addresses a number of other issues. In particular, there are EU law measures concerning the Convention’s rules on: crime victims’ rights, cross-border application of protection orders (both civil and criminal), other forms of cross-border cooperation, and immigration and asylum issues (see the detailed list in the Annex).

It must be pointed out that if the EU ratifies the Istanbul Convention, it would not be replacing its Member States, but ratifying the Convention alongside them. In other words, the Convention would be another ‘mixed agreement’ which both the EU and its Member States have ratified, like the UN Disabilities Convention, (in future) the ECHR and many other treaties. The EU would not be legally obliged to adopt any more legislation affecting the issue of violence against women than it already has done. While I have argued before that there are good reasons (and legal powers) for the EU to adopt legislation establishing substantive criminal law rules in this field, this is a separate question from whether the EU ought to ratify the Convention.

Reasons why the EU should ratify the Istanbul Convention

First of all, the EU’s ratification of the Convention would provide encouragement to its Member States, as well as non-Member States of the EU, to ratify the Convention. It would increase the prominence of the Convention worldwide, perhaps inspiring changes to national law and regional treaty-making outside Europe.

Secondly, ratification would, as regards this Convention at least, address the argument that the EU has ‘double standards’ as regards human rights, insisting that would-be EU Member States and associated countries should uphold human rights standards that the EU does not apply itself. While the double standards argument can be answered as regards human rights treaties which the EU cannot ratify, it cannot so easily be rebutted as regards treaties which it can. If the EU is perfectly able to ratify the Istanbul Convention, but chooses not to, what moral authority does it have to ask non-Member States to do so?

Ratification of the Convention would enhance its role in EU law, because it could more easily be used as a parameter for the interpretation and validity of EU legislation (such as the legislation listed in the Annex, plus any future relevant measures). It would also mean that the Convention would already bind those EU Member States which had not yet ratified it, as regards those provisions within EU competence.

Furthermore, since the CJEU would have jurisdiction to interpret those provisions of the Convention which fall within the scope of EU competence, this would promote a uniform interpretation of those provisions within the EU.

Next, the relevant provisions of the Convention would be more enforceable if they were enshrined in to EU law. While the CJEU ruled in the Z case that the UN Disabilities Convention did not have direct effect, and might rule the same as regards the Istanbul Convention, at least that Convention would have ‘indirect effect’ (ie the obligation to interpret EU law consistently with it), and the Commission could bring infringement actions against Member States which had not applied the Convention correctly, as regards issues within the scope of EU competence. Ensuring the enforceability of the Convention is all the more important since it does not provide for an individual complaint system.

Finally, ratification would subject the EU to outside monitoring as regards this issue, and avoid the awkward scenario of its Member States being monitored as regards issues within EU competence – meaning that the Convention’s monitoring body would in effect to some extent be monitoring whether EU Member States were complying with EU law.

[Update: the Commission proposed that the EU should sign and conclude the Convention in March 2016. See discussion here.]

Sunday, 20 April 2014

Following the annulment of the EU’s data retention Directive by the CJEU, an obvious important question arises: are national data retention laws subject to the same ruling of the Court? The purpose of this post is to set out the reasons why they are.

The starting point for this analysis is Article 51 of the EU’s Charter of Fundamental Rights, which states that the Charter applies to the EU institutions and other EU bodies, but to the EU’s Member States ‘only’ when they are ‘implementing’ EU law. What does that mean?

On the narrowest interpretation, Member States ceased to be implementing EU law on data retention from the moment that the data retention Directive became invalid. After all, from that point, there was no EU data retention law to implement. However, it is arguable that Member States can still be regarded as ‘implementing’ EU law where their national legislation was introduced to implement an EU obligation. It’s a novel point, because it’s rare for the CJEU to annul EU laws on substantive grounds. And where the Court has done so, it has more often annulled only a small part of those EU laws (in the Test-Achats judgment, for instance).

But that is merely an alternative argument that the EU Charter continues to apply to national data retention law. The main argument is based on solidly established case law of the CJEU regarding the scope of EU human rights protection where Member States derogate from EU law.

EU human rights rules and national derogations from EU law

As far back as 1991, the CJEU ruled in the ERT case that where Member States derogate from EU internal market rules, they are still subject to EU human rights obligations (which then took the form only of the EU’s ‘general principles of law’, since the Charter was not yet a gleam in anyone’s eye). This was confirmed in the Familiapress judgment, as regards exceptions from the internal market rules which are based on the CJEU’s ‘rule of reason’ case law, rather than the express exceptions in the Treaties.

Does the Charter take the same approach? While many assumed that the word ‘implementing’ in the text of Article 51 suggested a narrower interpretation than under the prior case law, in its judgment in Fransson the CJEU stated that its prior case law regarding the scope of the general principles applied equally to the Charter. While that judgment did not concern derogations from EU law, the CJEU should shortly be ruling on this point in the case of Pfleger (judgment due 30th April), where the Advocate-General’s opinion assumes as much. Pending the possible confirmation in that judgment, it should be assumed for the time being that the Charter does indeed apply to national derogations from EU law, given that the CJEU made no distinction in Fransson as regards the aspects of its prior case law which were still applicable.

In any event, even if the Charter does not apply to national derogations from EU law, the general principles still do, given that they have a continued existence independent from the Charter in Article 6(3) TEU.

Applying the case law

Two further issues arise. First of all, does EU human rights law apply where Member States are not derogating from EU internal market rules in the Treaty, but from other rules of EU law? In principle it should, given that the Treaties list other EU objectives besides the creation of an internal market. Why should EU human rights rules only apply as regards national derogations from EU rules in one particular area of EU law, but not as regards derogations from EU rules in other areas of law?

Anyway, the CJEU has in effect confirmed that Member States are bound by the Charter and the general principles even where the law in question does not concern the internal market. In EP v Council and the subsequent case of Chakroun, the CJEU ruled that national derogations from the EU’s family reunion Directive had to comply with human rights obligations, without suggesting any distinction in this regard between national derogations from EU internal market rules in the Treaty and national derogations from other EU rules set out in EU legislation.

Secondly, is there an EU law rule that Member States are derogating from when they continue to apply national data retention laws? Indeed, there is: Article 15(1) of the EU’s e-privacy Directive specifies that Member States may restrict the rights in that Directive relating to the confidentiality of communications, location and other traffic data and caller identification:

'when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph. All the measures referred to in this paragraph shall be in accordance with the general principles of Community law, including those referred to in Article 6(1) and (2) of the Treaty on European Union.'

In fact, the CJEU has ruled repeatedly on the application of the Charter to cases where copyright holders have invoked this clause to justify planned restrictions upon Internet use (see most recently the Telekabel Wienjudgment). There is no reason why the CJEU would not also apply the clause to data retention on crime-fighting grounds, given that the second sentence of Article 15(1) refers expressly to data retention and the first sentence refers expressly to criminal law.

Finally, while some forms of data retention might fall outside the scope of the e-privacy Directive, which in principle applies to telecommunications service providers (not, for instance, to social networks or search engines), those other forms of data retention would anyway fall within the scope of the similar Article 13 of the main data protection Directive, given that they would clearly constitute the processing of personal data within the scope of that Directive. Neither the ‘household exception’ to that Directive nor the exception for processing in the field of criminal law would apply – since the data retention would be taking place in the context of a commercial activity (since the judgment on the legal base of the data retention Directive by analogy).

[Update: see discussion of the later Pfleger judgment here. Two cases on national data retention laws were later referred to the CJEU; see discussion of them here.]

Wednesday, 16 April 2014

While many employees jokingly refer to themselves as ‘wage slaves’, millions of people worldwide are actually forced to supply their labour – a modern form of slavery. Alongside sexual exploitation, labour exploitation constitutes a particular form of trafficking in persons.

In recent years, the chief international actors combatting trafficking in persons have been the United Nations (adopting a Protocol to the Convention on Organised Crime), and (within Europe), the Council of Europe, adopting a Convention on the topic. However, there is another long-standing actor in the field: the International Labour Organisation (ILO), which has particular expertise as regards labour exploitation. Due to concerns that its existing treaties, notably Convention 29 of 1930, are not being fully applied (see the 2013 experts’ report for details), the ILO is considering the adoption of a Protocol and/or a Recommendation relating to that Convention in the near future.

The draft Protocol consists of only six short Articles. It starts with a general obligation for States to prevent and eliminate forced labour, and then sets out a more concrete obligation to adopt action plans to this end. States would have to take ‘specific action against trafficking in persons’ as regards labour or sexual exploitation. They would also have to take steps to educate the public, to broaden the coverage of labour law and strengthen inspection services, and to protect workers who use placement services, particularly migrant workers, against abuse.

Next, States would have to secure the identification, recovery, release and rehabilitation of victims of forced labour. They would also have to secure access to remedies for victims, including compensation. Victims would also have to be exempted from liability as regards crimes which they were forced to commit.
Finally, there would be a general obligation for States to cooperate with each other, and the Protocol would specify that States would enforce its rules by means of national law.

As for the draft Recommendation, it sets out further details as regards the substance of the draft Protocol. It includes provisions on: gathering statistics relating to forced labour; skills training for vulnerable groups; programmes to combat related discrimination; the promotion of freedom of association for at-risk groups; setting out terms and conditions of work in a contract; basic social security guarantees; pre-departure orientation for migrants; coherent labour and immigration policies, which take account of the risks posed to irregular migrants; and efforts to reduce the trade in and demand for goods and services produced by forced labour.

The provisions on victims’ protection would be conditional on victims’ informed consent, but conversely could not be conditional on their willingness to participate in criminal proceedings. There would be more details on the specific forms of protection which should be granted to victims (protection from retaliation, housing, health care, privacy, and social assistance). For migrants, there should be a reflection and recovery period, the provision of residence permits ‘as appropriate’ and the facilitation of ‘preferably’ voluntary repatriation.

As regards access to justice, there should be rules allowing representatives to act on behalf of victims, a right for victims to get compensation from perpetrators, (state) compensation schemes, information for victims, and access to court. Enforcement rules should include providing for penalties, including confiscation of profits alongside penal sanctions and liability for legal persons.

EU law aspects

But how does this relate to EU law? The EU has not comprehensively regulated forced labour as such, but a number of separate EU measures do touch on aspects of the issue. In particular, an EU Directive adopted in 2011 regulates the criminal law aspects of trafficking in persons, while a 2004 Directive regulates the immigration status of trafficking victims. The 2012 Crime Victims’ Directive concerns the status of victims of crime more generally. There is also EU employment law dealing with the issue.

The normal rule relating to EU external competence is that the adoption of internal EU legislation on an issue brings with it external EU competence relating to that issue. That competence becomes exclusive where the EU has fully harmonised the issue in question (see Article 3(2) TFEU). On that basis, the EU has concluded the relevant Protocol to the UN Convention, although it has not signed the Council of Europe Convention on trafficking in persons.

However, there is a complication as regards the planned ILO measures, or indeed any measures emanating from the ILO. Unlike many of the treaties drawn up within the framework of the United Nations or the Council of Europe, only States can be party to ILO legal instruments. This also means that the EU as such cannot fully take part in ILO discussions, even when they concern matters within the scope of EU external competence.

Traditionally, this complication has been addressed by adopting EU measures authorising the Member States to act on the EU’s behalf in the ILO framework, and then authorising Member States to sign and ratify the relevant Conventions which result. For instance, the EU has recently authorised Member States to ratify the ILO Convention on Domestic Workers.

Similarly, the Commission has recently proposed a Council Decision harmonising Member States’ positions as regards the planned ILO Recommendation on forced labour, as well as a separate proposal as regards the possible Protocol (the latter proposal has not been published).

But this process, which is also applicable in other cases where the Member States act on the EU’s behalf in international fora, is not always smooth. For instance: the Commission successfully sued Greece for infringing EU external competence as regards maritime security, within the framework of the International Maritime Organisation; the CJEU has been asked to decide whether the EU has to authorise Member States to admit new countries as parties to the Hague Convention on Child Abduction; and the Court also had to settle a dispute relating to competence relating to earlier ILO treaties on the use of chemicals at work.

More fundamentally, in a pending case, Germany is suing to annul a Council Decision coordinating Member States’ positions in an international wine organisation on behalf of the EU, arguing that the EU’s powers to establish positions in international bodies can only apply where the EU itself is a party to the relevant organisation and/or treaty, not where the Member States are acting on the EU’s behalf. Germany also argues that the EU’s powers can only apply where the organisation concerned will establish legally binding rules; this could arguably be relevant as regards the draft ILO Recommendation.

If the German case is successful (an Advocate-General’s opinion is due in May), then the new proposal obviously cannot be adopted (or would be invalid, if it had been adopted in the meantime). But even if the EU is legally entitled to coordinate Member States’ positions in international conferences, including as regards recommendations, there are several complications resulting from this process.

First of all, the Commission proposal does not mention the difficulty arising from the various opt-outs from EU law which some Member States enjoy. The immigration and criminal law measures referred to do not bind all Member States, while the employment law measures do. So arguably two different Council Decisions might be necessary, in order to address this problem.

Secondly, there might be arguments about the precise extent of the external competence of the EU as compared to the proposed ILO measures. In this case, there are some detailed problems with the Commission proposal, although it is too early to say whether the Council might amend or refuse to adopt the proposal. (For more details of these problems, see the annex below.)

Thirdly, if the EU itself is not party to an international treaty, then the CJEU takes less account of that treaty. Although it has made brief reference to ILO treaties which EU legislation implements (for instance, the Schultz-Hoff judgment on the EU’s working time Directive), this can be compared to (for instance) its more frequent references to the UN Convention on the Rights of Disabled Persons (which the EU has ratified): there have been two such references in the past year (the Ring case and the Zcase).

Fourthly, it sometimes appears as if the institutional arguments over the exact extent of the EU’s external competence take precedence over the substance of the treaty concerned. In this case, the substance of the planned measures on forced labour are extremely important, given that millions worldwide are subject to this severe breach of human rights. Moreover, the EU could usefully take this opportunity to reflect on whether its own legislative framework is sufficient to address this problem.

Unfortunately, since the EU would not be a party to the planned Recommendation or Protocol, it would not be required to carry out such a reflection. And conversely, even if Member States become parties, there is a limit to the effectiveness of any such reflection, given that some of the measures concerned can only be taken by the EU.

While the division of powers between the EU and its Member States in external relations is an inevitable consequence of the rules on EU competence, there is a growing need for the EU and its Member States to find an effective mechanism to ensure that their potentially important contribution to achieving international objectives, such as (but not only) the elimination of forced labour, are not frustrated by the EU’s internal disputes.

The EU has found some creative solutions to these problems, such as the use of ‘mixed agreements’ (treaties which the EU and its Member States are both parties to), and the adoption of EU legislation regulating Member States’ exercise of their external competence in areas closely related to EU law (such as air services agreements). It is long past time for it to adopt measures which effectively coordinate the Member States’ and the EU’s exercise of their competence as regards the legal framework for international human rights protection.

The Commission proposes legal bases relating to criminal law and employment law to adopt the Council Decision. But the preamble also refers to EU immigration legislation and rules on free movement of EU citizens, so the relevant legal bases (Articles 45 and 79 TFEU) logically have to be cited, particularly the immigration legal base given the very close link with the EU legislation concerned. Since the immigration and criminal legislation does not apply to all Member States, arguably there will need to be separate Council decisions to take account of this.

Wednesday, 9 April 2014

Yesterday’s second judgment on data protection is not quite as important as the first, but is very interesting nonetheless. In Commission v Hungary, the CJEU built upon its prior rulings in Commission v Germany and Commission v Austria, as regards the independence of data protection authorities. But implicitly the judgment has rather broader resonance than that.

Background

The EU’s data protection Directive requires data protection authorities to be set up to enforce the rules in the Directive, alongside the possibility of individual court actions. Since the Directive applies to the public and private sectors, and the data protection authorities form part of the public sector, there is an implicit risk that the authorities might be reluctant to challenge the government or the governing parties’ private sector allies, or could otherwise be ‘captured’ by the sectors of industry most impacted by data protection law. To avoid this possibility, the Directive requires Member States to ensure that data protection authorities act ‘with complete independence’.

In Commission v Germany, the CJEU ruled that Germany infringed this rule by providing for too much parliamentary accountability for the data protection authorities. In Commission v Austria, the Member State concerned had breached the law because the data protection authority formally was part of the civil service, giving rise to a possible appearance of partiality.

The judgment

The latest judgment concerned a different issue. Hungary had replaced the individual data protection supervisor with a supervisory board, and had cut short the term of the supervisor when the new board was set up.

In the Court’s view, Hungary had infringed the Directive. As in the Austrian case, the national rules could lead to a situation of ‘prior compliance’ with the government’s wishes (or what might often be called ‘self-censorship’). Here that would result from the threat of early termination of the supervisor’s (or now the supervisory board’s) term.

So, while Member States are free to have different rules on the composition of national data protection authorities, and free to change those rules, any significant changes had to provide for transitional periods to avoid compromising the independence of those authorities.

Comments

The Court’s judgment is unsurprising, in light of its prior case-law. The prospect of early termination of a term of office of a 'independent' supervisor is bound to give rise to the appearance of partiality, if not actual self-censorship. The supervisor concerned might even have doubts about the government's willingness to employ him or her in another job after the termination of the term of office. A government could even put pressure on the private sector not to hire that individual. In any event, the private sector may judge that it is unwise to hire a person who appears not to be in the government's favour.

More broadly, the judgment should also be seen as part of a broader concern about the rule of law in Hungary. This judgment is just one of several actions which the Commission brought, or threatened to bring, due to concerns about possible interference with the central bank, the judiciary and the data protection authorities in that state.

Previously, the Hungarian rules on retirement of judges – which would have entailed a big reduction in the retirement age for current judges, followed by a later retirement age for their replacements – were criticised by the Court of Justice, on the grounds that this would breach the EU’s framework equality Directive as regards age discrimination.
The apparent intent to ‘pack the courts’ via this route was not discussed as such by the CJEU, although the Court’s judges were surely aware of it.

Moreover, the Commission had begun proceedings regarding the independence of the Hungarian central bank, and dropped them due to changes in Hungarian legislation. It had also threatened to bring separate proceedings relating to the independence of the judiciary generally, due to the risk that EU law cannot be properly applied unless judges are impartial. While that argument is sound in principle (whether it is true of Hungary is a separate question), ultimately the Commission decided that a non-judicial approach was better suited to dealing with such situations, and released its recent communication on the rule of law in the EU instead.

It seems as though the CJEU is also determined to follow a cautious path politically. Neither yesterday’s judgment nor the earlier judgment on judicial retirement makes any reference to the broader context. Furthermore, it hardly seems coincidental that yesterday’s judgment came after, not before, last weekend’s election, which saw the current government returned to power. A judgment like this one shows both the strengths and the weaknesses of EU law when fundamental questions like these are raised.

Tuesday, 8 April 2014

On July 7, 2005 a relative of mine started her journey to work on a London tube train. Within half an hour, bombs on that train left by terrorists exploded, in conjunction with three other bombs across London. Dozens of people died (although my relative was not injured).

Understandably, public concern about terrorist incidents, following on from the earlier outrages of 9/11 and the Madrid bombings, led to further EU anti-terrorist legislation. In particular, the British Presidency of the EU Council made it a top priority to adopt legislation providing for retention of a large amount of communications data. But according to the Court of Justice of the European Union (CJEU), in a crucial judgment today, that legislation was essentially an over-reaction to these terrorist atrocities. The Court has effectively prohibited mass surveillance in the EU, and thus taken significant steps to entrench itself as the EU’s constitutional court.Summary of the judgment

As discussed in detail by Chris Jones’ post on this blog, the Directive requires Member States to require telecommunications service providers to retain significant amounts of data on the use of all forms of telecommunications by all individuals within the EU, for a period of between 6 months and 2 years. This data is collected for the use of law enforcement agencies as regards investigations into serious crime or terrorism, but there are no detailed rules in the Directive governing the access to and use of the data by those authorities.
The CJEU only found it necessary to address the question of the validity on the Directive in light of the Charter rights to privacy and data protection (Articles 7 and 8 of the Charter).

First of all, the Court unsurprisingly had no difficulty finding that the Directive interfered with the protection of those two rights. Its analysis focussed instead on whether such an interference could be justified.

The rules on justifying interferences with Charter rights are set out in Article 52 of the Charter. Any limitation upon Charter rights must be laid down by law, respect the essence of the right, and subject to the principle of proportionality, limit rights and freedoms only if it is necessary and genuinely meets public interest objectives and the rights and freedoms of others. The Court easily found that there was a public interest justification (public safety) for the restriction of the Charter rights at issue. It also found that the ‘essence’ of the rights was not affected, because (as regards the right to privacy) the content of communications was not recorded, and (as regards the right to data protection) certain data processing and data security rules had to be respected.

Therefore the key issues in the Court’s ruling were the proportionality of the interference with Charter rights. The Court indicated that judicial review of the EU legislature’s discretion should be ‘strict’ in this case, applying factors such as the area of law concerned, the nature of the right, the nature and seriousness of the infringement and the objective pursued. Here, it followed from the nature of the right and the nature and seriousness of the infringement that the EU legislature’s discretion was reduced; the CJEU took no account expressly of the objective being pursued.

The first aspect of proportionality (the appropriateness of the interference with the right for obtaining the objective) was fulfilled, because the data concerned might be useful to investigations. However, the CJEU found that the Directive was problematic as regards the second facet: the necessity of the measure in question. Crucially the Court ruled that the important objective of investigating serious crime and terrorism did ‘not, in itself’ justify data retention. So for the CJEU, the safety of the people is not the supreme law.

Its analysis proceeded by setting out the general importance of safeguards as regards the protection of privacy and data protection rights (building upon the case law of the European Court of Human Rights). These safeguards are even more necessary when data is processed automatically, with a risk of unlawful access.

Applying this test, the Court gave three reasons why the rules on data retention in the Directive were not strictly necessary. First of all, the Directive had an extremely broad scope, given that it applied to all means of electronic communication, which have ‘widespread and growing importance’ in everyday life, without being sufficiently targeted. Indeed, it ‘entails an interference with the fundamental rights of practically the entire European population’. In other words (the Court does not use the term), it amounts to mass surveillance.

Secondly, besides the ‘general absence of limits’ in the Directive, it failed to limit access to the data concerned by law enforcement authorities, and the subsequent use of that data, sufficiently precisely. In particular: it referred generally to ‘serious crime’ as defined in national law; it did not restrict the purpose of subsequent access to that data; it did not limit the number of persons who could access the data; and it did not control access to the data by means of a court or other independent administrative authority.

Thirdly, the Directive did not set out sufficient safeguards, as regards: the data retention period, for instance as regards the categories of data to be retained for the whole period; the protection of the data from unlawful access and use (here the CJEU criticises the possible limits on protection measures due to reasons of cost); the absence of an obligation to destroy the data; and the omission of a requirement to retain the data within the EU only.Comments

The CJEU reached the same conclusion as the Advocate-General’s opinion, but for different reasons. In the Advocate-General’s view, the Directive was invalid because it breached the ‘quality of law’ requirement applicable to interferences with Charter rights, having failed to establish sufficient safeguards relating to access to and use of the data. It also was disproportionate for failing to explain why storage periods of up to two years were necessary. The Court’s ruling appears to go further, by ruling out mass surveillance in principle.

The opinion discussed some interesting and important issues that the Court does not directly address, in particular: the existence of a ‘quality of law’ requirement as regards breaches of the Charter; whether the EU or the Member States have responsibility for ensuring the satisfaction of that requirement in this case; and the complications of the ‘legal base’ issue, ie the awkward point that inserting safeguards relating to law enforcement authorities might go beyond the ‘internal market’ legal base of the legislation. It might be deduced that the CJEU has a view on these issues: there is a ‘quality of law’ rule; the EU is responsible for upholding that requirement in this case; and the ‘legal base’ point is not a barrier to the EU adoption of rules regulating law enforcement authorities. But unfortunately, the Court did not expressly spell out its reasoning on these issues. It is certainly peculiar that, having ruled previously that the Directive was validly based on EU internal market powers, the CJEU rules here that its interference with Charter rights is justified by the objective of public safety.

As for the reasoning which the Court did provide, as usual it was easy to find public interest objectives for the interference with rights. The most important part of the reasoning is therefore the analysis of the interference with the ‘essence’ of the right, and of proportionality. It is very significant that the Court makes clear that these are two different issues: even if the essence of a right is respected, legislation can be disproportionate. Earlier case law on restriction of rights often seemed to suggest that respecting the essence of rights was sufficient.

Another important aspect of the judgment is the development of a doctrine indicating when strict scrutiny of the EU legislature’s interference with fundamental rights should apply. This is based upon Strasbourg case law, not the standards of national constitutional courts, which have of course addressed this issue in their own way. Obvious questions arise as to whether the same standards should apply to national implementation of EU law, or to Charter rights not based upon the ECHR.

While many data protection specialists argue that there is a fundamental distinction between the right to privacy and the right to data protection, the Court’s judgment only reflects that distinction to a limited degree. It assesses separately whether there is an interference with Articles 7 and 8 of the Charter, and whether the essence of each right has been affected. However, it made no distinction between the rights when assessing the required intensity of judicial review, and linked the two rights together when assessing the proportionality of the interference with them.Consequences of the judgment

First and foremost, the data retention Directive is entirely invalid. The Court did not in any way rule that it could continue in force.
So the immediate consequence is that we return to the status quo before 2005. This means that Member States have an option, not an obligation, to retain data pursuant to the e-privacy Directive (see further Chris Jones’ post on the background to the data retention Directive). However, Member States’ exercise of this option will still be subject to the requirements set out in this judgment, since their actions will fall within the scope of the Charter, given that the e-privacy Directive regulates the issue of interference with telecommunications.

Would it be possible for the EU to adopt a new Directive on mandatory data retention? In other words, can the Directive in some way be ‘fixed’?

First of all, since the 2006 Directive is entirely invalid, the EU legislature has to start from scratch, rather than amend it. Secondly, it is clear from the Court’s judgment that some form of mandatory data retention in order to combat serious crime and terrorism is acceptable from the perspective of the EU Charter.

How would such a new Directive differ from the measure the Court has just struck down? The Court sets out unusually detailed guidelines for the legislature (and, in the meantime, for national legislature) in its judgment.
First of all, any new Directive would have to be in some sense targeted upon communication which has a particular link with serious crime and terrorism. Very simply, mass surveillance is an unjustifiable infringement of Charter rights.

Secondly, a new Directive would have to contain rules on: the definition of ‘serious crime’; the purpose of subsequent access to the data; limits on the number of persons who could access the data; and control of access to the data by means of a court or other independent administrative authority.

Thirdly, the new Directive would have to include stronger rules on the data retention period, for instance as regards the categories of data to be retained for the whole period, as well as the protection of the data from unlawful access and use. It would also have to contain rules on the absence of an obligation to destroy the data, and require that data be retained within the EU only. The Court did not rule on whether subsequent processing of the data in third States would be acceptable, but logically there must be some rules on this issue too. Probably it would be simplest to extend the external processing rules in the main EU data protection legislation to this issue.

Depending on the timing of a proposal for a new Directive (assuming that there is one), it might possibly get mixed up with the conclusion of negotiations over main the main data protection package being negotiated by the EU institutions. Alternatively, if those negotiations have concluded, they will establish a template that the negotiation of the new Directive can take account of.Final comments

The Court’s judgment can be seen in the broader context of continued revelations about mass surveillance. Its reference to the retention of data by third States is a thinly-disguised allusion to the spying scandals emanating from the United States. It also responds, sotto voce, to the very great concerns of national constitutional courts about this Directive, discussed in detail in Chris Jones’ post on this issue.

More broadly, the CJEU has seized the chance to give an ‘iconic’ judgment on the protection of human rights in the EU legal order. Time will deal whether the Digital Rights judgment is seen as the EU’s equivalent of classic civil rights judgments of the US Supreme Court, on the desegregation of schools (Brown) or criminal suspects’ rights (Miranda). If the Charter ultimately contributes to the development of a ‘constitutional patriotism’ in the European Union, this judgment will be one of its foundations.

This post, which examines the numerous legal challenges against the EU's Data Retention Directive at both national and EU level (not including today's judgment), is the third post in a series examining the EU's mandatory data retention legislation, which was struck down today by the Court of Justice of the European Union (CJEU). It is based on work undertaken by Statewatch as part of the SECILE project (Securing Europe through Counter-terrorism: Impact, Legitimacy and Effectiveness).

EU Court of Justice legal basis challenge

The first legal challenge to the Data Retention Directive came when Ireland, supported by Slovakia, asked the EU Court of Justice to annul the Directive on the grounds that it had the wrong legal basis. They argued that the correct legal basis for data retention resided “in the provisions of the EU Treaty concerning police and judicial cooperation in criminal matters,” rather than those on the internal market. The ECJ dismissed the case in February 2009, stating that:
“Directive 2006/24… regulates operations which are independent of the implementation of any police and judicial cooperation in criminal matters. It harmonises neither the issue of access to data by the competent national law-enforcement authorities nor that relating to the use and exchange of those data between those authorities…
“It follows that the substantive content of Directive 2006/24 is directed essentially at the activities of the service provides in the relevant sector of the internal market, to the exclusion of State activities coming under Title VI of the EU Treaty".Bulgaria

The first ruling on national laws transposing the Directive came from Bulgaria in proceedings launched by the NGO Access to Information Program. In December 2008 the country’s Supreme Administrative Court annulled an article of the transposing legislation permitting the Ministry of Interior “passive access through a computer terminal” to retained data, as well as providing access without judicial permission to “security services and other law enforcement bodies”. The court found that:
“[T]he provision did not set any limitations with regard to the data access by a computer terminal and did not provide for any guarantees for the protection of the right to privacy stipulated by Art. 32, Para. 1 of the Bulgarian Constitution. No mechanism was established for the respect of the constitutionally granted right of protection against unlawful interference in one’s private or family affairs and against encroachments on one’s honour, dignity and reputation.”
The court also found the legislation failed to make reference to other relevant laws – the Penal Procedure Code, the Special Surveillance Means Act and the Personal Data Protection Act – “which specify conditions under which access to personal data shall be granted.”Hungary

In June 2008 the Hungarian Civil Liberties Union (HCLU or TASZ, Társaság a Szabadságjogkért) requested “the ex-post examination” by the Hungarian Constitutional Court of the amendment of Act C of 2003 on electronic communications, “for unconstitutionality and the annulment of the data retention provisions.”
According to the HCLU, Act C “already comprised numerous restrictive data retention provisions prior to the directive. The only changes brought in by the amendments were the retention of Internet communications data and the elimination of the lax – but at least pre-defined – legal purposes of the data processing”. The HCLU argued that “the amendments completely disregarded the provisions of the directive [stating] that data should be ‘available for the purpose of investigation, detection and prosecution of serious crimes’.”
Despite being filed in 2008, the case is yet to be heard. According to Fanny Hidvégi of the HCLU, this is because as of 1 January 2012 new restrictions were placed on submitting cases to the Constitutional Court, and “every pending case submitted by a person or institution which no longer has the right to do so were automatically terminated”. The HCLU has begun a new and lengthy procedure that requires the exhaustion of all other remedies before the Constitutional Court can examine the Hungarian data retention measures.Romania

In October 2009, the Romanian Constitutional Court found that proposed national legislation implementing the Data Retention Directive violated Romanian constitutional provisions protecting freedom of movement; the right to intimate, private and family life; secrecy of correspondence; and freedom of expression. The court found that the government’s attempt to justify the mandatory retention of telecommunications data by invoking undefined “threats to national security” was unlawful. The Court also referred to the 1978 ECHR ruling in Klass v Germany, which stated that “taking surveillance measures without adequate and sufficient safeguards can lead to ‘destroying democracy on the ground of defending it’.”

In October 2011 the European Commission asked the Romanian government to bring forward new laws transposing the Directive, issuing a “reasoned opinion” under Article 258 of the TFEU, which carries the threat of full infringement proceedings at the European Court of Justice if the request is not met. A new law was duly drafted, but was rejected by the Romanian Senate. The law was heavily criticised in the media prior to the vote and the country’s Data Protection Authority had refused to endorse it, claiming that articles relating to the security services were “still vague”. Civil society organisations also opposed it and even the government refused to sponsor it, leaving the Minister of Communications and Information Society to propose it in his role as MP rather than minister. Strong support from the Minister of European Affairs fuelled criticism that it was motivated solely by the need to escape sanction by the European Court of Justice.

Ultimately the Senate vote was not decisive and the law continued its journey to the Chamber of Deputies, where at the end of May 2012 it was adopted with 197 votes for and 18 against, with many abstentions amongst the 332 deputies. There was no substantive discussion of fundamental rights issues in the Chamber of Deputies or the main two committees that debated the law and critics have argued that the provisions on access to retained data are even more problematic than the original statute. On 21 February 2013 the European Commission withdrew the infringement procedure that it had opened in 2011.

Cyprus

In February 2011 the Supreme Court of Cyprus ruled that aspects of the national transposing legislation breached the Cypriot constitution and case law on surveillance. The case was brought by individuals whose telecommunications data had been disclosed to the police in accordance with District Court orders. They argued that the laws underlying the orders were based (Articles 4 and 5 of Law 183(I) 2007, that sought to harmonise Cypriot law with the Directive), and therefore the District Court orders themselves violated their rights to privacy and confidentiality of communications. The Supreme Court found that petitioners had indeed been subject to a violation of their rights and annulled provisions it said went beyond the requirements of the Data Retention Directive. However, the legality of the Directive itself was not called into question.Germany

Legislation transposing the Data Retention Directive into the Telecommunication Act and Code of Criminal Procedure was passed by the Bundestag on 9 November 2007 and entered into force on 1 January 2008. The day before, 31 December 2007, 35,000 German citizens (represented by the NGO AK Vorrat) filed a complaint against the legislation at the Federal Constitutional Court.
On 2 March 2010 the Court ruled that the transposing provisions were a disproportionate interference with Article 10 (confidentiality of communications) of the Basic Law (Grundgesetz), and contravened legal standards on purpose limitation, data security, transparency and legal remedies.

However, the Court made no ruling on the actual Directive, stating that data retention is in principle proportionate to the aim of investigating serious crime and preventing imminent threats against life, body, freedom of persons, and the existence and security of the Federal Republic or one of its states. The Court found that the new domestic law failed to comply with legal standards on purpose limitation (restrictions on use of the retained data), data security, transparency and legal remedies.

In January 2011 the Ministry of Justice (MoJ) presented a paper proposing an alternative to data retention – a “quick freeze” system of limited data preservation for criminal investigations. The police and/or public prosecutors would issue a “quick freeze” order seeking access to metadata already held by telecommunications providers, for example for billing purposes. To actually access the “frozen”’ data would require the approval of a judge. In addition, the MoJ proposed an obligation for ISPs to store internet traffic data for seven days, allowing criminal investigators to identify persons behind (already known) IP addresses in particular in cases of child pornography. Criminal investigators would request the traffic and communications data via service providers without having direct access to these traffic data. This paper reflected proposals made in June 2010 by the Federal Commissioner for Data Protection, as well as the suggestions of more pragmatic privacy advocates.

More radical activists claim that any mandatory storage of communications data should be prohibited.
The Interior Ministry rejected these proposals and insisted on full implementation of the Directive, arguing that the Constitutional Court had already shown that it is possible to implement the Directive and ensure individual privacy through high data security standards, including encryption and the “four eyes principle” (approval by at least two people) as prerequisite for accessing data and log files; strict purpose limitation; and the protection of professions whose confidentiality must be ensured.

The MoJ produced a “quick freeze” bill in April 2012 but continued opposition from the Interior Ministry meant that it was never tabled in Parliament. The Interior Ministry was unhappy with the length of the proposed freezing periods, demanding three months instead of the one month suggested by the Ministry of Justice. Moreover, the Interior Ministry wanted to include crimes such as fraud and hacking. The controversy continues and no new legislation has yet been introduced.

By this time the European Commission had initiated infringement proceedings and took its case to the European Court of Justice in July 2012. The Commission is seeking to impose a daily fine of €315,000.

Czech Republic

On 13 March 2011 the Czech Republic's Constitutional Court declared national legislation implementing the Directive unconstitutional. It found that the retention period exceeded the requirements of the Directive, and that use of the data was not restricted to cases of serious crime and terrorism. “The national legislation lacked, according to the constitutional court, clear and detailed rules for the protection of personal data as well as the obligation to inform the person whose data has been requested.”
As in Germany, the Court stated that it could not review the Directive itself, but noted there was nothing in principle preventing implementation in conformity with constitutional law.

A second Constitutional Court decision in December 2011 examined the procedures put in place for obtaining access to retained data and found the “procedure in question to be too vague, in breach of [the] proportionality rule (its second step) and thus unconstitutional due to interference with right to privacy and informational self-determination.”
In the meantime the Czech government revised the implementing legislation with modifications that took account of the judgment.The NGO Iuridicum Remedium has lodged fresh proceedings against the revised legislation on the grounds that regulation remains inadequate and that the new decree could provide for the “monitoring of contents of Internet communications”.

Slovakia

In August 2012 a group of Slovakian MPs, supported by the European Information Society Institute, lodged a legal complaint against the legislation implementing the Data Directive. The complaint asks the Slovak Constitutional Court to examine whether the laws implementing the Directive and dealing with access by the authorities to retained data are compatible with constitutional provisions on proportionality, the rights to privacy and data protection, and the provision granting freedom of speech. It also argues that the measures infringe provisions guaranteeing privacy, data protection and freedom of expression in Slovakian human rights law, the European Convention on Human Rights and the Charter of Fundamental Rights of the European Union. The complaint has not yet been resolved.Sweden

The European Commission has engaged in a lengthy battle to try to bring Sweden’s domestic legislation into line with the Directive. After the country missed the initial September 2007 deadline, the Commission brought infringement proceedings, with the European Court of Justice finding Sweden guilty of failing to fulfil its obligations in February 2010. A proposal for transposing legislation was put forward in December 2010 and adopted in March 2012.
The new law should have taken effect in May 2012 but despite an overwhelming vote in favour of the new measures in the Swedish parliament (233 MPs voted in favour with 41 against and 19 abstaining), the Left Party and the Greens invoked a constitutional provision allowing the entry into force of new measures to be delayed by a motion of one sixth of the parliament's members.

In May 2013, the European Court of Justice ordered Sweden to pay a €3 million fine for its delay in implementing the legislation. The Court rejected Swedish pleas regarding the domestic controversy over the implementation of the law:
“As the Court has repeatedly emphasised, a Member State cannot plead provisions, practices or situations prevailing in its domestic legal order to justify failure to observe obligations arising under European Union law... The same is true of a decision, such as the one made by the Swedish Parliament, to which paragraph 8 of this judgment makes reference, to postpone for a year the adoption of the draft bill intended to transpose that directive.”The Court of Justice of the European Union (CJEU)

The most serious challenge to the implementation of the Data Retention Directive has come from joined cases brought by the NGO Digital Rights and the plaintiffs in a case referred from the Austrian Constitutional Court.
The Advocate General's opinion on the case, published in December 2013 following a hearing in July, proposed that the Court declare the Directive as a whole incompatible with EU Charter articles 52(1) (limitations on rights “must be provided for by law and respect the essence of those rights and freedoms”) and 7 (right to privacy). The case focuses on the compatibility of the Directive with Articles 7 (respect for private and family life) and 8 (protection of personal data) of the European Union Charter of Fundamental Rights. At the hearing the representatives of those who brought the cases argued that the Directive is fundamentally incompatible with the Charter and that there is still no evidence to demonstrate that its necessity or proportionality.

On behalf of Austrian privacy group AK Vorrat, Edward Scheucher argued that:
“[T]he cumulative effect of fundamental rights restrictions need to be taken into consideration when judging the legitimacy of a single measure. Given the revelations regarding PRISM, this cumulative effect now clearly provides a different result [than] at the time when the German [Constitutional] Court took its decision [to annul certain provisions of German transposing legislation]. Furthermore, he stated that the Austrian implementation of the directive clearly showed that a Charter-compatible national implementation of the Data Retention Directive is not possible. This argument is bolstered by the fact that the main author of the Austrian implementation is among the 11,139 Austrian plaintiffs who challenged data retention before the Austrian Constitutional Court."

In response to requests for evidence demonstrating the necessity of the Directive, the Austrian and Irish governments presented new statistics on the use of retained data at the hearing. Also arguing in favour of the Directive were representatives of Italy, Spain and the UK, as well as the Commission, the Council and the Parliament.
However, the Directive’s advocates still “had to acknowledge a lack of statistical evidence”, with the UK admitting that “there was no ‘scientific data’ to underpin the need” for data retention. Judge Thomas von Danwitz, the Court’s main rapporteur for the hearing, asked for information that had led to the adoption of the Directive in 2006, given that “the Commission in 2008 claimed not to have enough information for a sound review”. The Council’s lawyers, meanwhile, “implored the Court not to take away instruments from law enforcement”.

Ultimately, Advocate-General Cruz Villalón concluded that the Court answer the cases in the following way:
“(1) Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC is as a whole incompatible with Article 52(1) of the Charter of Fundamental Rights of the European Union, since the limitations on the exercise of fundamental rights which that directivecontains because of the obligation to retain data which it imposes are not accompanied by the necessary principles for governing the guarantees needed to regulate access to the data and their use.
“(2) Article 6 of Directive 2006/24 is incompatible with Articles 7 and 52(1) of the Charter of Fundamental Rights of the European Union in that it requires Member States to ensure that the data specified in Article 5 of that directive are retained for a period whose upper limit is set at two years.”

Today's Grand Chamber judgment, which is analysed in Steve Peers' separate post, ultimately agreed with this recommendation. The EU has finally been forced to redraft its mandatory data retention rules.